bundler-audit 0.5.0

bundler-audit provides patch-level verification for Bundled apps.

Homepage: https://github.com/rubysec/bundler-audit

Platform: Rubygems

Language: Ruby

License: GPL-3.0

Repository: https://github.com/postmodern/bundler-audit

View on registry: https://rubygems.org/gems/bundler-audit/versions/0.5.0

Documentation: http://www.rubydoc.info/gems/bundler-audit/0.5.0

Direct download link: https://rubygems.org/downloads/bundler-audit-0.5.0.gem

Install: gem install bundler-audit -v 0.5.0


bundler-audit

Description

Patch-level verification for Bundler.

Features

  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Checks for insecure gem sources (http://).
  • Allows ignoring certain advisories that have been manually worked around.
  • Prints advisory information.
  • Does not require a network connection.

Synopsis

Audit a project's Gemfile.lock:

$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: upgrade to ~> 3.1.12, >= 3.2.13

Unpatched versions found!

Update the ruby-advisory-db that bundle audit uses:

$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
 CONTRIBUTORS.md                    |  1 +
 gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
 gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
 gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
 gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
 gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 gems/actionmailer/OSVDB-98629.yml
 create mode 100644 gems/cocaine/OSVDB-98835.yml
 create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
 create mode 100644 gems/sounder/OSVDB-96278.yml
 create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories

Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):

$ bundle-audit check --update

Ignore specific advisories:

$ bundle-audit check --ignore OSVDB-108664

Rake task:

require 'bundler/audit/task'
Bundler::Audit::Task.new # defines the bundle:audit task

task default: 'bundle:audit' # run the audit when `rake` is invoked with no target
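As an added illustration of what the check above does (constructed example, not bundler-audit's own code): a miniature audit that reads the top-level entries under `specs:` in a Gemfile.lock, flags any remote not served over https, and compares each installed version against an advisory's patched ranges with RubyGems' own `Gem::Requirement`, honouring the same ignore list semantics as `--ignore`. The lockfile fragment and the advisory records are constructed; the patched ranges are copied from the Solution lines in the synopsis.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement come from RubyGems

# Constructed Gemfile.lock fragment (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      actionpack (3.2.10)
      activerecord (3.2.10)
      rake (10.1.0)

  PLATFORMS
    ruby
LOCK

# Constructed advisory records; the patched ranges mirror the Solution
# lines printed in the synopsis above.
ADVISORIES = [
  { gem: 'actionpack', id: 'OSVDB-89026', criticality: 'High',
    patched_versions: ['~> 2.3.15', '~> 3.0.19', '~> 3.1.10', '>= 3.2.11'] },
  { gem: 'activerecord', id: 'OSVDB-91453', criticality: 'High',
    patched_versions: ['~> 2.3.18', '~> 3.1.12', '>= 3.2.13'] }
].freeze

# [name, version] pairs for the top-level entries under "specs:".
def lock_specs(lock_text)
  lock_text.scan(/^    (\S+) \(([^)]+)\)$/)
end

# Gem sources fetched over plain http are flagged: no transport integrity.
def insecure_sources(lock_text)
  lock_text.scan(/^\s*remote: (\S+)/).flatten
           .reject { |url| url.start_with?('https://') }
end

# Vulnerable unless the installed version falls inside at least one
# patched range ("~> 3.1.12" means >= 3.1.12 and < 3.2).
def vulnerable?(version, patched_versions)
  v = Gem::Version.new(version)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Same shape as `bundle-audit check --ignore ID`: ignored advisory ids
# are skipped, everything else that matches is reported.
def audit(lock_text, advisories: ADVISORIES, ignore: [])
  findings = lock_specs(lock_text).flat_map do |name, version|
    advisories.select { |a| a[:gem] == name && !ignore.include?(a[:id]) }
              .select { |a| vulnerable?(version, a[:patched_versions]) }
              .map { |a| a.merge(version: version) }
  end
  { insecure_sources: insecure_sources(lock_text), findings: findings }
end
```

Run against the sample lockfile, both 3.2.10 gems are reported and the http remote is listed as insecure; the real tool additionally loads its advisories from the ruby-advisory-db checkout that `bundle-audit update` refreshes.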

Requirements

Install

$ gem install bundler-audit

License

Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with bundler-audit. If not, see http://www.gnu.org/licenses/.

Releases

  • 0.5.0 - February 29, 2016 04:03
  • 0.4.0 - June 30, 2015 21:38
  • 0.3.1 - April 20, 2014 22:54
  • 0.3.0 - November 01, 2013 02:18
  • 0.2.0 - August 27, 2013 01:22
  • 0.1.2 - February 18, 2013 04:07
  • 0.1.1 - February 12, 2013 09:26
  • 0.1.0 - February 12, 2013 04:22

Project Statistics

SourceRank 18
Dependencies 2
Dependent projects 48
Dependent repositories 1.12K
Total releases 8
Stars 1.29K
Forks 101
Watchers 48
Contributors 24
Repo Size: 221 KB

Top Contributors

Postmodern Jon Frisby Michael Grosser Martin Eliot Sykes Juanito Fatas retornam Mark Borcherding Jacob Evans Roland Moriz Cédric Félizard Jan Rusnacko Andrey Korobkov Shane da Silva Alex Gaynor Peter Fry Stephen Touset Jordi Massaguer Pla Ilya Vassilevsky Jaime Iniesta


Last synced: 2016-11-15 06:11:42 UTC
